Opinion: Surety and PGP aid developers in getting a bigger picture of info assurance.
The dominant theme of data protection discussions is one of
preserving secrets. Much less attention gets paid to the problem of
ensuring datas availability—not
to mention verifiability—rather than limiting it. I spoke this month
with representatives of
Surety about their technology for addressing
all
four elements of affirmative data access management:
confidentiality,
authentication,
integrity
and
nonrepudiation.
Surety describes its product as "trusted time-stamp service"—which is sort of like calling a Porsche Carrera "personal
transportation." The companys
AbsoluteProof
service offers its own four-point list of key criteria for data
assurance that people will actually use: "independent, portable,
persistent and transparent." The service is independent of the party
that has a stake in proving a data items attributes; the
authentication can travel with the data and be verified by the
recipient; the verification is durable, and the use of the technology
can be made invisible to the user.
For anyone who actually knows anything about
encryption
technology and practice, I hardly need to say anything more about
Suretys
ideas: The concept
isnt nearly as hard to grasp as, say,
string theory. In
crypto, the critical thing these days is less often the concept than
the
implementation. As noted
in eWEEK.coms widely viewed
slide show, "The Dirty Dozen IT Embarrassments," even something as simple
as
correctly
seeding a random number generator may be the difference between
potential and actual crypto strength.
Thats why I was struck, in particular, by one element of Suretys
approach. The company periodically publishes a
hash
value, as plain old
text
in a classified ad in The New York Times, that reliably
demonstrates the integrity of its entire process. This is a rare
concrete example of the often vacuous phrase, "thinking outside the
box"—which brings to most peoples minds, I suspect, an image of
climbing out of a metaphorical box of confined perceptions, but which
most likely
derives
from the famous puzzle of the nine dots.
The paradox of most digital systems is that people try to use the
system, or a parallel system with shared failure modes, to monitor and
maintain function: a proposition that has
a certain
hall-of-mirrors paradoxical feel, and that leads to painful calculations of just how much safety is needed -- and how much its worth to achieve that level of protection. Surety jumps
out of that
self-referential
paradox by
using another medium, one with completely different
failure
modes, as an outside check on its process. Well done.
Also helping developers to avoid getting boxed in by data assurance
difficulties is
PGP Corporation,
with its
announcement
this month of a massive portfolio of updates to its encryption
product line—with a general theme (its always wrong to generalize)
of making enterprise encryption more of a unified environment rather
than a cobbled-up collection of separate tools and doctrines. Theres
not much more that I can say thats not addressed in my
August
interview with PGP director of product management John Dasher, but
theres
more
from PGP at its site.
Tell me what kinds of assurance you wish you could get at
peter_coffee@ziffdavis.com
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor
Larry Seltzers Weblog.
Email
Print
